BitPim Gem

Hey all you CDMA fans…got a little forensic gem for you that you may not have known about. I discovered this the other day whilst examining a locked Audiovox 8910.

BitPim does not explicitly provide support for this phone; however, by choosing “Other CDMA” and selecting the modem port recognized by BitPim, I was able to take a read (caveat: only partial, since a manual follow-up showed that BitPim did miss some areas) of the filesystem…

Did I mention that the phone has a security code!!!????

Yes, that's right, it went around the security code!!!!

I found the Security Code (plus the default) in the NVM filesystem area. It was located in the NVM_002 file starting at 119 and ending at offset 122 (1289). Coincidentally, this is the same file where the Banner is located (in this case starting at offset 57, going for fifteen bytes and ending at offset 71: “WHERE'S DA MONEY”).

I confirmed the Security Code with the one given to the OIC and a manual unlock. I also confirmed the banner with a manual look.

Hey, I am working a sexual assault case right now and this little tip worked WONDERS. I was stuck to QPST’ing a phone or bitpim’ing it and copying contents for evidence. Well, with this I was able to get that code and do a very court-friendly Cellebrite dump afterwards. You're a life saver! Thanks!

Right on 🙂 Also, may I note that my code was not found at offset 119. It began at offset 70. The file name was also called nvm_0002 as opposed to nvm_002. This is from an LG AX5000. Just in case the technical dirt interested you. I viewed the hex using WinHex.
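Added example, not part of the original post or comments and not BitPim code: because the post and the comment above report the code at different offsets on different handsets, this Python code hashes an extracted NVM file and lists every run of exactly four ASCII digits and every printable string with its offsets for manual review. The sample buffers, banner text and code value are constructed, and storage of the code as four ASCII digits is an assumption based on the four-byte range given in the post.

```python
import hashlib
import re

def find_digit_runs(data: bytes, width: int = 4):
    """(offset, digits) for each run of exactly `width` ASCII digits."""
    pat = re.compile(rb"(?<![0-9])[0-9]{%d}(?![0-9])" % width)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]

def find_strings(data: bytes, min_len: int = 6):
    """(first_offset, last_offset, text) for each printable ASCII run."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.end() - 1, m.group().decode("ascii"))
            for m in pat.finditer(data)]

def examine(data: bytes):
    """Hash the extracted file first, then list candidates for manual review."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "digit_runs": find_digit_runs(data),
        "strings": find_strings(data),
    }

def build_sample(banner_off: int, code_off: int) -> bytes:
    """Constructed stand-in for an NVM file: 0xFF fill, banner, 4-digit code."""
    buf = bytearray(b"\xff" * 256)
    buf[banner_off:banner_off + 15] = b"SAMPLE BANNER 1"   # constructed banner
    buf[code_off:code_off + 4] = b"4321"                   # constructed code
    return bytes(buf)

if __name__ == "__main__":
    layouts = {"layout A (offsets from the post)": build_sample(57, 119),
               "layout B (code offset from the comment)": build_sample(10, 70)}
    for name, data in layouts.items():
        result = examine(data)
        print(name, result["sha256"][:16])
        for off, digits in result["digit_runs"]:
            print(f"  digits  @ {off}-{off + 3}: {digits}")
        for first, last, text in result["strings"]:
            print(f"  string  @ {first}-{last}: {text!r}")
```

Every hit is only a candidate: confirm it the way the post does, against the code supplied to the investigator and a manual unlock.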